Oracle Linux 6 / 7 : java-1.7.0-openjdk (ELSA-2017-3392)

Medium Nessus Plugin ID 105068

Synopsis

The remote Oracle Linux host is missing one or more security updates.

Description

From Red Hat Security Advisory 2017:3392 :

An update for java-1.7.0-openjdk is now available for Red Hat Enterprise Linux 6 and Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

The java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime Environment and the OpenJDK 7 Java Software Development Kit.

Security Fix(es) :

* Multiple flaws were discovered in the RMI and Hotspot components in OpenJDK. An untrusted Java application or applet could use these flaws to completely bypass Java sandbox restrictions. (CVE-2017-10285, CVE-2017-10346)

* It was discovered that the Kerberos client implementation in the Libraries component of OpenJDK used the sname field from the plaintext part rather than the encrypted part of the KDC reply message. A man-in-the-middle attacker could possibly use this flaw to impersonate Kerberos services to Java applications acting as Kerberos clients. (CVE-2017-10388)

* It was discovered that the Security component of OpenJDK generated weak password-based encryption keys used to protect private keys stored in key stores. This made it easier to perform password guessing attacks to decrypt stored keys if an attacker could gain access to a key store. (CVE-2017-10356)

* Multiple flaws were found in the Smart Card IO and Security components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions. (CVE-2017-10274, CVE-2017-10193)

* It was found that the FtpClient implementation in the Networking component of OpenJDK did not set connect and read timeouts by default. A malicious FTP server or a man-in-the-middle attacker could use this flaw to block execution of a Java application connecting to an FTP server. (CVE-2017-10355)

* It was found that the HttpURLConnection and HttpsURLConnection classes in the Networking component of OpenJDK failed to check for newline characters embedded in URLs. An attacker able to make a Java application perform an HTTP request using an attacker-provided URL could possibly inject additional headers into the request. (CVE-2017-10295)

* It was discovered that the Security component of OpenJDK could fail to properly enforce restrictions defined for processing of X.509 certificate chains. A remote attacker could possibly use this flaw to make Java accept a certificate using one of the disabled algorithms. (CVE-2017-10198)

* It was discovered that multiple classes in the JAXP, Serialization, Libraries, and JAX-WS components of OpenJDK did not limit the amount of memory allocated when creating object instances from the serialized form. A specially crafted input could cause a Java application to use an excessive amount of memory when deserialized. (CVE-2017-10349, CVE-2017-10357, CVE-2017-10347, CVE-2017-10281, CVE-2017-10345, CVE-2017-10348, CVE-2017-10350)

Bug Fix(es) :

* Previously, OpenJDK could not handle situations when the kernel blocked on a read even when polling the socket indicated that a read is possible. As a consequence, OpenJDK could hang indefinitely. With this update, OpenJDK polls with a timeout and performs a non-blocking read on success, and it no longer hangs in these situations. (BZ#1508357)